I don’t want to dump on a company who as nears as I can tell has been good at it’s job. It “feels” like they are able to prevent some of the barbarians attempt to break into desktops and servers all around the world. And by some accounts the hacking groups do attempt to sense/figure out if a computer has Crowdstrike installed. So they are aware of it, and do what they can to work around it. But today, July 19th 2024 is not good. With all the infrastructure and sensors and installs and binding tightly to the operating system (and we’re talking MS Windows here). And yes, sometimes dear Pogo possum, yes. We have met the enemy,…
I say that in part because these are the remediation steps as presented unto countless thousands of IT folks worldwide. And to say it’s not a good User Experience is truly damning with faint praise.
Here now are the directions as communicated
Summar
- CrowdStrike is aware of reports of crashes on Windows hosts related to the Falcon Sensor.
Details
- Symptoms include hosts experiencing a bugcheckblue screen error related to the Falcon Sensor.
- This issue is not impacting Mac- or Linux-based hosts
- Channel file “C-00000291*.sys” with timestamp of 0527 UTC or later is the reverted (good) version.
Current Action
- CrowdStrike Engineering has identified a content deployment related to this issue and reverted those changes.
- If hosts are still crashing and unable to stay online to receive the Channel File Changes, the following steps
- can be used to workaround this issue:
Workaround Steps for individual hosts:
- Reboot the host to give it an opportunity to download the reverted channel file. If the host crashes again, then:
- Boot Windows into Safe Mode or the Windows Recovery Environment
- Navigate to the C:WindowsSystem32driversCrowdStrike directory
- Locate the file matching “C-00000291*.sys”, and delete it.
- Boot the host normally.
Note: Bitlocker-encrypted hosts may require a recovery key. Please contact the Service Desk at xxx-xxx-xxx
Workaround Steps for public cloud or similar environment:
Reattach the fixed volume to the impacted virtual server
Detach the operating system disk volume from the impacted virtual server
Create a snapshot or backup of the disk volume before proceeding further as a precaution against unintended changes
Attach/mount the volume to to a new virtual server
Navigate to the C:WindowsSystem32driversCrowdStrike directory
Locate the file matching “C-00000291*.sys”, and delete it.
Detach the volume from the new virtual server
Carpet Bomberz Inc. 